Configuring Users

This article describes what Users are and how they are normally configured with the default UserManager.

Introduction
Overview
Configuring Users
Configuring Users using the console

1 Introduction

This article describes what Users are and how they are normally configured with the default userManager in the Orion Application Server.

2 Overview

When you develop J2EE applications you normally only concern yourself with what security roles that are to have or not have access to a certain resource. Thinking in terms of security roles make it easy for you to think of how users will use your application without actually specifying whose these users are.

When a J2EE application is deployed, the deployer maps these Roles to security identities (Users and Groups in Orion Application Server), as described here.

Users can be part of any number of Groups as described here.

3 Configuring Users

In order to define available users these has to be made available to the Orion Application Server. As this is not yet covered by the specifications, every vendor is using its own proprietary way of administrating Users. To add users programmatically using the Orion Application Server the UserManager (Orion allows for custom UserManager classes to be created by implementing the UserManager interface) should be used as the example in listing 4 below shows:

principal = roleManager.createPrincipal(username, password);
roleManager.addToRole(principal, "nameOfGroup");
roleManager.store();

Listing 1: Example RoleManager usage

If the default UserManager (XMLUserManager) is used for the Application with the example given in listing 1 above, the user in question will be added to the Applications principals.xml file with an entry such as in listing 2 below.

<principals>
<users>
<user username="user" password="abc">
<group-membership group="nameOfGroup" />
</user>
</users>
</principals>

Listing 2: Example principals.xml entry

The entry given in listing 2 above defines that there is an user with the username "user" and the password "abc" that is part of the group named ="nameOfGroup".

Users can be added to the principals.xml file manually. Global users can only be added manually. Adding a user manually implies adding the neccessary information (as the example in listing 2 above shows) to either the principals.xml file of the application (normaly found in its deployment directory) or to the principals.xml file of the global application (normaly found in the /orion/config/ directory).

A globally defined User is known to all Applications deployed on the Server in question, while a locally defined User is known to the specific Applicaion only.

If authentication by client-certificates are to be used, additional information about the certificate-issuer and the certificate's serial identity is needed. Listing 3 below shows how this could look in a principals.xml entry.

<user username="user" password="abc">
<certificate-issuer>CN=abc, OU=def...</certificate-issuer>
<certificate-serial-id>123456</certificate-serial-id>
<group-membership group="nameOfGroup" />
</user>

Listing 3: Example principals.xml entry for user with client certificate

In Listing 3 above, a certificate-issuer (should match java.security.cert.X509Certificate.getIssuerDN().getName() ) and a certificate-serial-id (should match java.security.cert.X509Certificate.getSerialNumber() ) are given. If the site has been configured to request client certificates (described here), the Server will try to match the certificates of the client against the certificate information stated for the User.

For more information about how to set up a site for client-certificate authentication, please read this guide.

4 Configuring Users using the console

This section describes how to use the Orion Console to manage Users. The topics covered are:

Adding a User
Changing a User
Removing a User

4.1 Adding a User

This section describes how to use the Orion Console to add a new User to an Application.

Select the Application that a new User should be added to.
Select the "Users" node in the exploded list of nodes for the Application.

This should open up a Users and Group view in the right part of the Console.
Click the "Add User" button.

This should open a new window where the fiels username, real name, password and description can be entered.
State the necessary information about the User in the designated fields.
Press the 'OK' button

The new User should now be listed in the User section of the Users and Groups view.

4.2 Changing a User

This section describes how to use the Orion Console to change a User that already exists in a Application..

Select the Application that holds the User to be changed.
Select the "Users" node in the exploded list of nodes for the Application.

This should open up a Users and Group view in the right part of the Console.
Select the User that should be changed from the list of Users that the Application contains.

This should enable the 'Configure' button.
Click the "Configure" button.

This should open a new window where the information about the user can be changed.
Change the name information about the User in the designated fields.
Press the 'OK' button

The User should now be listed in its changed form in the Users section of the Users and Groups view.

4.3 Removing a User

This section describes how to use the Orion Console to remove an existing User from a Application..

Select the Application that holds the User to be removed.
Select the "Users" node in the exploded list of nodes for the Application.

This should open up a Users and Group view in the right part of the Console.
Select the User that should be removed from the list of Users that the Application contains.

This should enable the 'Delete Selected' button.
Click the "Delete Selected" button.

The User should now be removed from the list of available Users in the User section of the Users and Groups view.